AI coding agents are rapidly moving from experimental tools into core development workflows, creating security challenges that traditional application security programs were never built to handle. These agents can independently discover tools, install components, execute commands, and generate code with limited human oversight. This level of autonomy has exposed significant blind spots in inventory management, runtime behavior, and supply chain security that many organizations are now struggling to address.
Snyk’s launch of Evo Agentic Development Security is a direct response to these emerging risks. The offering is designed to give security teams visibility into what agents and supporting components are running across developer environments, enforce controls while agents are operating, and validate the code and artifacts they produce. The company argues that without this type of governance layer, organizations are effectively securing agentic development with incomplete visibility and insufficient controls.
“Ask a security leader for a complete inventory of the AI agents, MCP servers, and skills running across their developer machines — in most organizations, that inventory doesn't exist,”
“That is the gap Evo ADS closes. It discovers what is actually installed, governs what agents do while they run, and validates what they produce. The question is no longer whether your team is using AI agents. It is whether you have a governance layer — and right now, for most organizations, the answer is no.”
Manoj Nair
Chief Technology & Innovation Officer at Snyk
The announcement reflects a growing recognition that agentic development expands the attack surface in ways that static code scanning and traditional supply chain controls cannot fully contain.
Conditions Driving the Change
Development teams are rapidly adopting autonomous AI coding agents that can independently discover, install, and use tools, MCP servers, and skills without centralized oversight or proper inventory tracking.
Traditional application security tools were designed around human-written code and periodic reviews, leaving organizations without real-time visibility into what agents are actually doing on developer machines.
Supply chain attacks are now reaching developer environments through compromised or malicious skills and MCP servers that enter via agent toolchains, creating risks that existing SCA and SAST processes were not built to detect.
Agents can execute high-impact actions such as file modifications, terminal commands, and external system interactions with little to no guardrails between intent and execution, significantly increasing potential blast radius.
Many organizations still lack basic visibility into which AI agents, supporting components, and credentials are active across their development environments, making accurate risk assessment difficult.
The speed of agentic workflows has made traditional approval-based security models impractical, as human review often occurs too late in the process.
Early enterprise adopters of agentic development tools have already reported real incidents involving prompt injection, credential exposure, and unauthorized actions performed by agents operating without runtime controls.
Security teams are under pressure to secure agentic development without slowing down the productivity gains these tools are delivering to engineering organizations.
Existing governance and compliance frameworks were developed for static systems and human operators, creating a mismatch with autonomous agents that make decisions and take actions at machine speed.
The combination of unvetted agent components and unbounded execution has created a new category of risk that requires controls to be applied during agent operation rather than only before or after code is written.
What AI Security Looked Like Before
Before the rise of AI coding agents, AI security in development environments was primarily an extension of traditional application security practices. Security teams focused on securing code written by humans through established processes such as static application security testing, software composition analysis, and dependency scanning. These tools were typically applied during code review or as part of CI/CD pipelines before deployment.
The underlying assumption was that code originated from trusted developers or approved sources, and that risks could be identified through periodic scans and policy enforcement at defined checkpoints. Supply chain security efforts centered on known vulnerabilities in open-source packages and maintaining lists of approved components. Runtime security existed mainly in production environments through monitoring, web application firewalls, and runtime protection tools.
There was limited need to maintain detailed inventories of tools installed on individual developer machines beyond basic endpoint detection and response. Governance was largely pre-deployment focused, with policies enforced through code reviews, pull request checks, and pipeline gates. Once code passed these stages, attention shifted to production monitoring rather than continuous oversight of the development process itself.
This model worked reasonably well when development activity was driven by humans following relatively predictable workflows. Security teams could maintain reasonable visibility and apply controls at specific points in the lifecycle. The introduction of autonomous AI agents that can independently discover tools, execute commands, and generate code has fundamentally challenged the assumptions this model was built upon.
What AI Security Looks Like Now
AI security for development has shifted from a pre-deployment, human-centric model to one that must account for autonomous agents operating with significant independence across developer environments. Organizations now face the reality that substantial portions of code and configuration changes may be generated by agents that can pull in external tools and execute actions without passing through traditional review processes.
Visibility has become a foundational challenge. Security teams are discovering they often have little to no inventory of which AI agents, MCP servers, and skills are running on developer machines. This lack of visibility extends to the supply chain of components these agents rely on, creating opportunities for compromised or malicious tools to enter through agent workflows.
Runtime governance is now viewed as essential rather than optional. Instead of relying solely on scanning code after it is generated, organizations need the ability to monitor and constrain what agents do while they are operating. This includes governing actions such as file access, terminal commands, and interactions with external services in real time.
Output validation has also taken on greater importance. Code and artifacts produced by agents must be checked not only for traditional vulnerabilities but also for issues introduced through agent-specific risks. The combination of discovery, runtime controls, and output validation represents a more continuous approach to security that extends into the development environment itself.
“As we expanded our use of agentic development, it opened up a new attack surface,”
“We're seeing supply chain attacks, malicious skills and compromised MCP servers riding in on the agent's own toolchain, plus agents taking actions with no guardrails between intent and execution. The blast radius isn't bounded and we're early in the curve.”
Brendan Putek
Director of DevOps at Relay Network
This evolution reflects a broader recognition that agentic development creates risks that cannot be fully addressed by simply extending existing AppSec tools without meaningful changes to how controls are applied.
Our Take
AI Security Take
Security teams need to stop treating AI coding agents as just another developer productivity tool and start treating them as a new class of autonomous actor that requires dedicated security controls. The most immediate priority is establishing basic visibility across development environments. Without knowing which agents, MCP servers, and skills are active, organizations cannot accurately assess exposure or implement effective controls.
Runtime governance should be treated as a core requirement. Agents capable of executing commands and interacting with systems need guardrails that operate while they are running, not only after the fact. This means moving beyond traditional code scanning toward controls that can monitor, steer, or block actions based on policy in real time.
Supply chain security practices must expand to cover the components agents introduce into the environment. Malicious skills and compromised MCP servers represent a growing attack vector that existing dependency management processes are not equipped to handle. Organizations should require validation of agent components before they are permitted to execute.
Finally, security and development teams need to work together to define clear boundaries for agent behavior. This includes specifying what agents are allowed to do, what evidence must be captured, and what level of human oversight is required for high-risk actions.
“Agentic development security represents a fundamental shift in how developers think about code"
“The potential for agents to deliver value is enormous, but their impact demands mindful development and the right guardrails — so enterprises can deploy them securely and with confidence.”
Oliver Neuberger
Managing Director and EMEA and UKI CMT cybersecurity practice lead at Accenture
Without these boundaries and controls, the productivity benefits of agentic development will continue to come with unmanaged risk that becomes increasingly difficult to contain as adoption accelerates.